This chapter covers AWS Organizations, the foundational service for managing multiple AWS accounts at scale. It explains how to create a hierarchical account structure using Organizational Units (OUs), apply governance guardrails with Service Control Policies (SCPs), and design a multi-account architecture that meets security and compliance requirements. For the SAA-C03 exam, approximately 10-15% of questions touch on Organizations, SCPs, or multi-account strategies, often in the context of Secure Architectures (Domain 1) or Cost Management (Domain 4).
Jump to a section
Imagine a multinational corporation with a headquarters (HQ) and several wholly-owned subsidiaries in different countries. The HQ sets global policies: no subsidiary may hire employees below minimum wage, all subsidiaries must use approved accounting software, and no subsidiary may enter into contracts over $1M without HQ approval. These policies are enforced by a central compliance officer at HQ who reviews all major decisions. Each subsidiary has its own local management that can make day-to-day decisions (e.g., hiring, purchasing office supplies) as long as they don't violate global policies. The subsidiaries operate independently but are ultimately owned by HQ. If a subsidiary tries to violate a global policy (e.g., signing a $2M contract without approval), the compliance officer blocks it. However, the subsidiaries can still make local policies that don't conflict with global rules. In this analogy, AWS Organizations is the corporate structure, the management account is HQ, member accounts are subsidiaries, Service Control Policies (SCPs) are the global policies enforced by the compliance officer, and Organizational Units (OUs) are groupings of subsidiaries (e.g., by region or business unit). The SCPs act like guardrails: they define what actions are allowed or denied across all accounts in an OU, but they do not grant permissions themselves—that is done by IAM policies within each account (like local management decisions).
What is AWS Organizations?
AWS Organizations is a global service that enables you to consolidate multiple AWS accounts into a single organizational unit. It provides centralized management of billing, access control, compliance, and resource sharing across accounts. The service is free of charge and is a prerequisite for many advanced AWS features such as AWS Single Sign-On (SSO), AWS Control Tower, and consolidated billing.
At its core, AWS Organizations creates a hierarchy with one management account (formerly called the master account) and up to 10,000 member accounts (by default, but can be increased via support request). The management account has full administrative control over all member accounts, including the ability to create new accounts, invite existing accounts, apply policies, and view consolidated billing data.
How It Works Internally
When you create an organization, AWS automatically creates a root container. All accounts (management and member) reside under this root. You can then create Organizational Units (OUs) — logical containers that group accounts with similar needs (e.g., Production, Development, Sandbox). OUs can be nested up to 5 levels deep. The hierarchy is a tree structure: root → OU → sub-OU → account.
Policies, such as Service Control Policies (SCPs) and backup policies, are attached to nodes in the hierarchy (root, OUs, or directly to accounts). When a policy is attached to a node, it applies to all accounts within that node and all child nodes. This is called policy inheritance. For example, an SCP attached to the root applies to every account in the organization. An SCP attached to the Production OU applies only to accounts in that OU and its sub-OUs.
Key Components and Defaults
Management Account: The account that created the organization. It has full access and cannot be changed without deleting the organization. The management account is not subject to SCPs (by default) — it always has full admin access.
Member Accounts: Accounts that are part of the organization. They can be created via the Organizations console or invited from existing AWS accounts. Member accounts are subject to SCPs.
Root: The top-level container in the hierarchy. It is always present and cannot be deleted.
Organizational Unit (OU): A container for accounts. OUs can have parent-child relationships. Maximum depth: 5 levels.
Service Control Policy (SCP): A JSON policy document that specifies the maximum permissions for accounts in the OU. SCPs do not grant permissions; they define a permission boundary. By default, an SCP called FullAWSAccess is attached to the root, allowing all actions. When you attach a restrictive SCP, you must explicitly deny or allow actions.
Default SCP: When you enable SCPs in your organization, a default FullAWSAccess SCP is attached to the root and all OUs. To restrict permissions, you must attach a custom SCP that denies actions or replace the default.
SCP Evaluation: SCPs are evaluated in addition to IAM policies. An effective permission is the intersection of the SCP boundary and the IAM policy. If either denies an action, the action is denied. SCPs do not affect the management account.
Consolidated Billing: A feature that combines usage across all accounts for volume discounts. It does not grant any access permissions.
AWS CloudTrail: Can be enabled to log all API calls in the organization, including management events.
Configuration and Verification
To create an organization via AWS CLI:
aws organizations create-organization --feature-set ALLOutput:
{
"Organization": {
"Id": "o-xxxxxxx",
"Arn": "arn:aws:organizations::123456789012:organization/o-xxxxxxx",
"FeatureSet": "ALL",
"MasterAccountId": "123456789012",
"MasterAccountEmail": "admin@example.com"
}
}To create an OU:
aws organizations create-organizational-unit --parent-id r-xxxx --name "Production"To create an SCP:
aws organizations create-policy --content file://policy.json --name "DenyS3Delete" --type SERVICE_CONTROL_POLICY --description "Deny S3 delete actions"To attach an SCP to an OU:
aws organizations attach-policy --policy-id p-xxxx --target-id ou-xxxxTo verify effective permissions, use the IAM policy simulator or check CloudTrail logs for denied actions.
Interaction with Related Technologies
IAM: SCPs work alongside IAM policies. IAM policies grant permissions to users/roles within an account; SCPs limit what those users/roles can do. For example, an IAM policy may grant s3:PutObject, but if an SCP denies s3:PutObject at the OU level, the action is denied.
AWS Control Tower: A service that automates the setup of a multi-account environment using Organizations, SCPs, and guardrails. Control Tower creates a landing zone with mandatory OUs and SCPs.
AWS SSO: Uses Organizations to manage user access across accounts. SSO integrates with SCPs to enforce permissions.
AWS Resource Access Manager (RAM): Allows sharing of resources across accounts within an organization without needing to create IAM roles.
AWS CloudFormation StackSets: Deploys stacks across multiple accounts in an organization, respecting SCP boundaries.
Best Practices for SCPs
Use SCPs to enforce security guardrails, such as denying access to non-compliant regions, preventing deletion of CloudTrail logs, or blocking root user actions.
Always test SCPs on a small OU before applying to the entire organization.
Remember that SCPs do not affect the management account. To protect the management account, use IAM policies and MFA.
Use the aws:SourceOrgID and aws:SourceOrgAccount condition keys in SCPs to restrict cross-account access.
Avoid overly restrictive SCPs that break AWS services (e.g., denying ec2:Describe* will break the EC2 console).
Common Exam Scenarios
SCP Effect on Root User: SCPs do not restrict the root user of the management account, but they do restrict root users of member accounts.
SCP and IAM Policy Combination: The effective permission is the intersection of the SCP and IAM policy. If SCP allows all actions but IAM denies, the action is denied. If SCP denies, the action is denied regardless of IAM.
Inheritance: SCPs attached to a parent OU apply to all child OUs and accounts. If multiple SCPs apply, the most restrictive (deny) wins.
Default FullAWSAccess: When you enable SCPs, the default SCP allows all actions. To restrict, you must attach a deny SCP or modify the default.
Management Account Exempt: The management account is not subject to SCPs, but it can still be affected by AWS service quotas and IAM policies.
Create an Organization
To start, you must create an organization from an AWS account that will become the management account. This is done via the AWS Organizations console, CLI, or API. The management account is the billing owner and has full administrative control. During creation, you choose between two feature sets: 'All features' (enables SCPs, consolidated billing, etc.) or 'Consolidated billing only' (only billing consolidation, no SCPs). For SAA-C03, assume 'All features' is used. After creation, the organization root is automatically created. The management account cannot be changed; if you need to migrate, you must delete the organization and recreate.
Create Organizational Units
Next, you create OUs under the root to group accounts logically. For example, you might create OUs named 'Production', 'Development', and 'Sandbox'. OUs can be nested up to 5 levels deep. Each OU has a unique ID (e.g., ou-xxxx). When creating an OU, you specify a parent (root or another OU). The hierarchy is flexible; you can move accounts between OUs at any time. OUs themselves do not have permissions; they are containers for policies and accounts.
Create and Attach SCPs
Service Control Policies are JSON documents that define allowed or denied actions. You create an SCP using the console or CLI, specifying a policy name and content. The policy uses the same syntax as IAM policies but with an 'Effect' of 'Allow' or 'Deny'. By default, when SCPs are enabled, the 'FullAWSAccess' SCP is attached to the root, allowing all actions. To restrict, you attach a custom SCP to an OU. The SCP applies to all accounts in that OU and its children. You can attach multiple SCPs to a node; the effective policy is the union of all allow statements intersected with the intersection of all deny statements (deny overrides allow).
Invite or Create Member Accounts
You can add member accounts by inviting existing AWS accounts or creating new ones directly from the Organizations console. When you invite an account, the owner must accept the invitation. For new accounts, you specify an email address and account name. AWS creates the account with a root user and IAM roles for admin access. The new account automatically becomes a member of the organization and is placed in the root OU by default. You can then move it to the appropriate OU. Member accounts are subject to SCPs applied to their OU.
Apply Policies and Verify
After attaching SCPs, you should verify that they are working as intended. Use the IAM policy simulator to test specific actions against a user/role in a member account. Alternatively, attempt the restricted action from a member account and check CloudTrail for an 'AccessDenied' error. Remember that SCPs take effect immediately after attachment. Also, verify that the management account remains unaffected. If you need to audit, use AWS Config rules or CloudTrail to monitor policy changes.
Enterprise Scenario 1: Financial Services Compliance
A large bank needs to enforce strict compliance across 500 AWS accounts. They use AWS Organizations with OUs for each business unit (e.g., Retail Banking, Investment Banking, Risk Management). SCPs are applied to deny access to non-US regions (to comply with data residency laws), prevent deletion of CloudTrail logs, and block the use of unapproved instance types. The bank also uses SCPs to require encryption on all S3 buckets (by denying s3:PutObject without the x-amz-server-side-encryption header). In production, they test SCPs on a 'Sandbox' OU first. A common misconfiguration is forgetting to exclude the management account from SCPs, but that is not needed as SCPs don't apply to it. However, they must ensure IAM policies in member accounts do not grant more permissions than allowed by SCPs. Performance is not an issue as SCPs are evaluated instantly. When a developer accidentally attaches a deny-all SCP to the root, all accounts (except management) lose access; recovery requires the management account to detach the SCP.
Enterprise Scenario 2: SaaS Provider Multi-Tenant Isolation
A SaaS company hosts customer environments in separate AWS accounts. They use Organizations with OUs per customer tier (e.g., Gold, Silver, Bronze). SCPs enforce network isolation: they deny creating security group rules that allow inbound traffic from 0.0.0.0/0, and they require all EC2 instances to be launched in a specific VPC. They also use SCPs to limit instance types to cost-effective families. The company creates new accounts programmatically via the AWS Organizations API and moves them to the appropriate OU. A common issue is that SCPs can break AWS services like AWS Lambda if they deny iam:PassRole for the Lambda service-linked role. They mitigate by using aws:SourceArn condition keys in SCPs to allow only specific actions. They also use AWS Control Tower to automate the setup, which pre-configures mandatory SCPs.
Enterprise Scenario 3: Multi-Account Billing and Cost Allocation
A media company uses consolidated billing to aggregate costs across 200 accounts. They create OUs by department (e.g., Engineering, Marketing, HR) and use cost allocation tags to track spending. SCPs are used to enforce tagging: they deny creating resources without required tags (e.g., CostCenter, Project). This is done by denying ec2:RunInstances unless the request includes the required tags (using condition keys). In production, they monitor CloudTrail for 'AccessDenied' errors to identify misconfigured SCPs. A common mistake is applying an SCP that denies iam:Create* to the entire organization, which breaks the ability to create new member accounts (since that requires iam:CreateAccount). They learned to exclude the management account from such SCPs (but SCPs don't apply to management anyway) and to use separate OUs for accounts that need to create IAM resources.
The SAA-C03 exam tests AWS Organizations primarily in the context of Secure Architectures (Domain 1.4: Secure multi-account strategies) and Cost Management (Domain 4.2: Billing and cost tools). Key objectives include: designing a multi-account hierarchy using OUs, applying SCPs to enforce security guardrails, and understanding the relationship between SCPs and IAM policies. The most common wrong answers on exam questions are:
SCPs grant permissions: Many candidates think SCPs work like IAM policies that grant access. In reality, SCPs only define a boundary; they do not grant permissions. The correct answer is that SCPs are used to restrict what actions are allowed, not to grant them.
SCPs affect the management account: Another frequent mistake is assuming SCPs apply to the management account. The exam emphasizes that the management account is exempt from SCPs. Questions may ask which account can bypass SCPs — the answer is always the management account.
SCPs are evaluated before IAM policies: Some think SCPs are evaluated first and IAM policies later. Actually, both are evaluated together, and the effective permission is the intersection. If either denies, the action is denied.
OUs can span multiple roots: Each organization has only one root. OUs are nested under that root. The exam may present a scenario with multiple roots as a distractor.
Specific numbers and terms that appear verbatim: maximum 5 levels of OU nesting, default SCP is 'FullAWSAccess', management account is not subject to SCPs, maximum 10,000 member accounts (default), and the aws:SourceOrgID condition key.
Edge cases: SCPs with 'Deny' effect override 'Allow' from other SCPs. If an SCP denies an action, it cannot be allowed by another SCP or IAM policy. Also, SCPs cannot be used to restrict the root user of the management account, but they can restrict root users of member accounts.
To eliminate wrong answers, focus on the mechanism: SCPs are guardrails, not grants. If a question asks for a way to enforce a mandatory encryption policy across all accounts, the answer is an SCP with a deny for unencrypted operations, not an IAM policy. Also, remember that consolidated billing alone does not provide any access control.
AWS Organizations allows up to 10,000 member accounts (default) in a single organization.
OU nesting is limited to 5 levels deep.
SCPs do not affect the management account; they apply only to member accounts.
The default SCP attached to the root is 'FullAWSAccess', which allows all actions.
SCPs define a permission boundary; effective permissions are the intersection of SCP and IAM policies.
Consolidated billing is a feature of Organizations but does not provide access control.
SCPs can use condition keys like `aws:SourceOrgID` to restrict cross-account access.
These come up on the exam all the time. Here's how to tell them apart.
Service Control Policy (SCP)
Applies to an entire AWS account or OU within an organization.
Defines a permission boundary; does not grant permissions.
Cannot be used to grant access; only to deny or allow actions within the boundary.
Not affected by the management account; management account is exempt.
Evaluated as a guardrail; effective permissions are the intersection of SCP and IAM.
IAM Policy
Applies to a specific IAM user, group, or role within an account.
Grants permissions to perform actions on AWS resources.
Can be used to grant or deny access directly.
Applies to all accounts, including management account (but management account can have full admin IAM policies).
Evaluated as part of the access control; effective permissions are the intersection of SCP and IAM.
AWS Organizations
Free service for managing multiple accounts.
Provides account hierarchy and policy management (SCPs).
Manual setup of OUs and policies.
No automatic guardrails or compliance monitoring.
Requires manual creation of accounts and policies.
AWS Control Tower
Paid service (costs for some features, but basic setup is free).
Automates the creation of a multi-account environment using Organizations.
Pre-configures OUs and mandatory SCPs (guardrails).
Provides automated compliance monitoring and dashboards.
Uses AWS Organizations under the hood but adds a landing zone and automation.
Mistake
Service Control Policies (SCPs) grant permissions to accounts.
Correct
SCPs do not grant permissions; they define a maximum permission boundary. Permissions are granted by IAM policies within each account. SCPs only restrict what actions are allowed; they never enable actions that are not already allowed by IAM.
Mistake
SCPs apply to the management account of the organization.
Correct
The management account is exempt from SCPs. Only member accounts are subject to SCPs. This allows the management account to administer the organization without being restricted by the same policies.
Mistake
You can have multiple roots in an AWS Organization.
Correct
Each AWS Organization has exactly one root. All accounts and OUs are under this single root. You cannot create additional roots.
Mistake
SCPs are evaluated before IAM policies, so if SCP allows, IAM must also allow.
Correct
SCPs and IAM policies are evaluated together. The effective permission is the intersection of both. If either denies, the action is denied. There is no ordering; both must allow for the action to succeed.
Mistake
Consolidated billing in AWS Organizations provides access control across accounts.
Correct
Consolidated billing only aggregates costs for volume discounts. It does not provide any access control or permission management. Access control is handled by SCPs and IAM.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, SCPs do not apply to the management account. The management account is exempt from SCPs to ensure it can always administer the organization. However, IAM policies still apply to users and roles in the management account. This is a common exam point: if a question asks which account is not affected by SCPs, the answer is the management account.
An SCP defines a permission boundary for an entire account or OU within an organization, while an IAM policy grants permissions to specific users, groups, or roles within an account. SCPs do not grant permissions; they only restrict what actions are allowed. IAM policies can both grant and deny permissions. The effective permission for a user is the intersection of the SCP boundary and the IAM policy.
You can create an SCP that denies `s3:PutObject` unless the request includes the `x-amz-server-side-encryption` header. For example: `{"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*", "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}`. Attach this SCP to the root or relevant OUs. Note that this does not encrypt existing objects; you need additional policies for that.
Yes, SCPs apply to the root user of member accounts. For example, you can deny `iam:CreateUser` for the root user. However, SCPs do not apply to the root user of the management account. This is an important exam distinction: root user of member accounts is restricted by SCPs, but root user of management account is not.
If you attach an SCP that denies all actions (e.g., `{"Effect": "Deny", "Action": "*", "Resource": "*"}`) to the root, all member accounts will lose access to all AWS services. The management account remains unaffected. To recover, you must use the management account to detach or modify the SCP. This is a dangerous scenario tested on the exam.
You can use IAM roles with trust policies that allow access from other accounts in the organization. To restrict which accounts can assume the role, use the `aws:SourceOrgID` condition key in the trust policy. This ensures only accounts within your organization can assume the role. SCPs can also be used to deny cross-account access if needed.
There is no hard limit on the number of OUs, but the nesting depth is limited to 5 levels. You can have many OUs at the same level. However, best practice is to keep the hierarchy simple to avoid complexity.
You've just covered AWS Organizations: OUs, SCPs, and Hierarchy — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?